Data Processing Agreement

This Data Processing Agreement (DPA) template is for companies that process personal data on behalf of another entity (the Controller). It ensures compliance with data protection laws in a Southern African business context.

Updated 15d ago
data processing, DPA, privacy, data protection, sub-processor, GDPR, POPIA

{{company_name}}

{{company_address}}

Phone: {{phone}} | Email: {{email}} | Web: {{website}}

DATA PROCESSING AGREEMENT

This Data Processing Agreement (“Agreement”) is entered into between:

1. {{controller_company_name}}, a company registered under the laws of {{controller_jurisdiction}}, with its principal place of business at {{controller_address}} (“Controller”); and

2. {{processor_company_name}}, a company registered under the laws of {{processor_jurisdiction}}, with its principal place of business at {{processor_address}} (“Processor”).

Controller and Processor are hereinafter collectively referred to as the “Parties” and individually as a “Party”.

1. DEFINITIONS

1.1. “Applicable Data Protection Laws” means all laws and regulations, including laws and regulations of the Southern African region, applicable to the processing of Personal Data under the Agreement, including but not limited to, the Protection of Personal Information Act No. 4 of 2013 (POPIA) in South Africa, to the extent applicable.

1.2. “Personal Data” means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller as part of the Services.

1.3. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.4. “Services” means the services provided by the Processor to the Controller as described in the main agreement between the Parties.

1.5. “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.

2. DETAILS OF DATA PROCESSING

2.1. Categories of Data Subjects: {{categories_of_data_subjects}}

2.2. Categories of Personal Data: {{categories_of_personal_data}}

2.3. Nature and Purpose of Processing: {{nature_and_purpose_of_processing}}

2.4. Duration of Processing: Personal Data will be processed for the duration of the Services, and thereafter as required by law or the main agreement.

3. OBLIGATIONS OF THE PROCESSOR

3.1. The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by Applicable Data Protection Laws. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3.2. The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3. The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of Personal Data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

3.4. The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights.

3.5. The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (or equivalent provisions under Applicable Data Protection Laws) taking into account the nature of processing and the information available to the Processor.

3.6. The Processor shall, at the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of Services relating to processing, and delete existing copies unless Applicable Data Protection Laws require storage of the Personal Data.

4. SUB-PROCESSING

4.1. The Processor shall not engage another processor (“Sub-Processor”) without prior specific written authorisation of the Controller. Where the Processor engages a Sub-Processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this Agreement shall be imposed on that Sub-Processor by way of a contract or other legal act.

4.2. The Processor shall maintain an up-to-date list of its Sub-Processors, which shall be made available to the Controller upon request.

5. DATA BREACH NOTIFICATION

5.1. The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach. Such notification shall at least:

(a) describe the nature of the Personal Data breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

(c) describe the likely consequences of the Personal Data breach;

(d) describe the measures taken or proposed to be taken by the Processor to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.

6. AUDIT RIGHTS

6.1. The Controller shall have the right to conduct audits, including inspections, of the Processor’s premises, systems, and records relevant to the processing of Personal Data, upon reasonable prior notice, to verify the Processor’s compliance with its obligations under this Agreement.

7. LIABILITY

7.1. Each Party’s liability under this Agreement shall be as set forth in the main agreement between the Parties. In the event of any conflict between the liability provisions of this Agreement and the main agreement, the provisions of the main agreement shall prevail.

8. GOVERNING LAW AND JURISDICTION

8.1. This Agreement shall be governed by and construed in accordance with the laws of {{governing_law_jurisdiction}}.

8.2. Any disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of {{governing_law_jurisdiction}}.

SIGNATURES

IN WITNESS WHEREOF, the Parties hereto have executed this Data Processing Agreement as of the date first written above.

FOR THE CONTROLLER:
____________________________
Name: {{controller_signatory_name}}
Title: {{controller_signatory_title}}
Date: {{controller_signature_date}}

FOR THE PROCESSOR:
____________________________
Name: {{processor_signatory_name}}
Title: {{processor_signatory_title}}
Date: {{processor_signature_date}}
